INFORMATION ON THE PROCESSING OF YOUR PERSONAL DATA



BACKGROUND


At Nudge Labs AB ("Nudge Labs", "we" or "us"), we protect your privacy and strive towards always maintaining a high level of data protection. 


This privacy notice describes how we collect and use Personal data that is provided to us via our website www.nudgelabs.com or our application NudgeLabs, and when our services are used. It also describes your rights and how you can exercise them. 

If you have any questions, you are always welcome to contact us.


Throughout this privacy notice, the term "processing" is used, which includes all operations involving Personal data, including without limitation, collection, handling, storage, sharing, access, use, transfer and deletion of Personal data.


"Applicable legislation" means applicable laws, ordinances and regulations, including regulations issued by relevant supervisory authorities, concerning the protection of the fundamental rights and freedoms of natural persons and in particular the right to the protection of their Personal data applicable to the processing in question; including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") as well as laws, ordinances and regulations supplementing the GDPR.


"Personal data" shall have the meaning ascribed to it under the GDPR and means any information relating to an identifiable or identified natural person.


WHO IS THE DATA CONTROLLER FOR THE PERSONAL DATA WE COLLECT?


Nudge Labs AB, company registration number 559308-7652, Döbelnsgatan 31, 113 58 Stockholm, is the data controller for the company's processing of Personal data.


FROM WHERE DO WE COLLECT PERSONAL DATA?


We collect Personal data from: 

  • You: data that you either provide to us yourself or that we collect from your wearable device, or through the use of our products or website visits.
  • Your employer, such as your email address, the name of your employer and your organizational affiliation.

WHEN AND WHY DO WE PROCESS PERSONAL DATA?

Administer the use of our services

We process your Personal data in order to manage the customer relationship with your employer and as necessary to provide you with our services.

Categories of Personal data

  • Identity information
  • Contact information

Legal basis
Legitimate interest.
The processing is necessary to provide our services.

Retention period
Personal data is retained until you choose to terminate your account.


Analyze personal data provided in the app, including notifying your employer of the results regarding your work environment


We process your Personal data as provided or generated when you use our services.

We share the results regarding your health data with your employer only in an anonymized and aggregated form. 

Categories of Personal data

  • Contact information
  • Identity information
  • Health information

Legal basis

Consent.

We process your personal data on the basis of your consent.

We process sensitive Personal data, e.g. information about health, on the basis of your explicit consent.


Retention period

Personal data regarding health is stored for five (5) years. 

If you withdraw your consent (i.e. de-register from our services) all data pertaining to you will be deleted within 30 days. 


Manage and respond to questions and potential complaints


If you contact us, e.g. via our digital channels, we will process your Personal data that you provide us with to communicate with you and respond to and investigate any questions and/or complaints that you may have (including technical support).


Categories of Personal data

  • Identity information
  • Contact information
  • Your communication
  • Health information


Legal basis

Legitimate interest.

The processing is necessary to fulfill our legitimate interest in managing and responding to your submitted questions and/or complaints.

Exceptions for sensitive Personal data

We process any sensitive Personal data, e.g. health information that you provide in your communication to establish, exercise and defend legal claims.


Retention period

Personal data, e.g. health data, is retained until the customer service matter has been completed. Data necessary to document communications regarding contractual obligations or infractions may be retained for the legally mandated period for accounting purposes.


Evaluate, develop and improve our services


We will process your Personal data as we generate data for the purpose of improving our services. Based on the information we collect, we analyze the data on an aggregated level using deidentified or pseudonymized data, without any connection to you as an individual (e.g. improve the user interface to simplify the flow of information or to highlight functions that are often used by customers).


Categories of Personal data

  • Our communication
  • Feedback to us
  • Application usage
  • Health information

Legal basis

Legitimate interest.

The processing is necessary to fulfill our legitimate interest in evaluating, developing and improving our services, products and systems.


Retention period

Reports at an aggregate level that do not contain any Personal data and statistics are stored for an indefinite period.


Evaluate and monitor the use of our application or website

We will process your Personal data when customizing services to become more performant and effective. In order to analyze and better understand how you use our application or website, we further process your Personal data, which is e.g. collected via cookies, application performance monitoring or similar technologies.


Categories of Personal data

  • Identity information
  • Geographical information
  • Application usage

Legal basis

Legitimate interest.

The processing is necessary to fulfill our legitimate interest in evaluating and monitoring the use of our application or website.

Retention period

Reports at an aggregate level that do not contain any Personal data and statistics are stored for an indefinite period.



Provide you with tailored marketing

Application

NudgeLabs will not share your Personal health data with partners.


Website

We process your Personal data to provide you with tailored marketing that we deem to be of interest to you. We do this by the use of e.g. cookies, and similar techniques, which help us and our partners to display relevant ads on various websites based on your visit and click history.


Categories of Personal data

  • User-generated data
  • Identity information
  • Geographical information


Legal basis

Consent

The processing that enables us and our partners to provide you with tailored marketing is based on your consent.


Retention period

Your Personal data is retained for a period of 5 years from the time of collection.



Manage and address legal claims

In order to manage and address legal claims, e.g. in connection with a dispute or legal process, we process your personal data (where applicable).


Categories of Personal data

All information necessary to manage and address the legal claim.


Legal basis

Legitimate interest

The processing is necessary to fulfill our legitimate interest in managing and addressing legal claims, e.g. in connection with a dispute or legal process.

The processing of personal identity number is necessary in view of the purpose of the processing.


Exceptions for sensitive Personal data

We only process sensitive Personal data, including information about crime or suspected crime, when necessary in order to establish, exercise and defend legal claims.


Retention period

Personal data is retained during the period necessary to manage and address the legal claim.


Fulfill legal obligations

We process your Personal data in order to fulfill other legal obligations to which we are subject, in addition to the legal obligations mentioned above in this privacy notice. Such obligations may e.g. include obligations regarding accounting and bookkeeping as well as requirements pursuant to the Data Protection Regulation.


Categories of Personal data

All information that is necessary to fulfill the respective legal obligation.


Legal basis

Legal obligation

The processing is necessary to fulfill legal obligations to which we are subject.


Retention period

Personal data is retained for the period necessary in order for us to fulfill legal obligations to which we are subject.


Manage and protect systems and services

We process your personal data if necessary in order to manage and protect our IT systems and services, e.g. in connection with logging, troubleshooting, backup, change and problem management in systems and in connection with any IT incidents.


Categories of Personal data

All information listed above


Legal basis

Legitimate interest

The processing is necessary to fulfill our legitimate interest in managing and protecting our IT systems and services.


Retention period

Personal data is retained for the same period as stated in relation to the respective purpose above. Personal data in logs is retained for troubleshooting, audits and incident management for a period of 12 months from the time of the event giving rise to the log.


RECIPIENTS WHO WE SHARE PERSONAL DATA WITH

When necessary, we share Personal data with the recipients specified below. Unless otherwise stated, named recipients are independent data controllers for their own processing of Personal data.


Authorities (e.g. the Police and the Swedish Tax Agency)

  • Purpose: In order to fulfill any legal obligations to which we are subject, e.g. in connection with requests from authorities or other legal claims.
  • Legal basis: Legal obligation. The processing is necessary to fulfill legal obligations to which we are subject.

Authorities (incl. courts) and legal representatives

  • Purpose: In order to fulfill any legal obligations to which we are subject, e.g. in connection with requests from authorities or other legal claims.
  • Legal basis: Legal obligation. The processing is necessary to fulfill legal obligations to which we are subject.

Buyers, sellers and external advisors/other parties involved

  • Purpose: To enable business changes, e.g. sale or merger of the business or investments in general.
  • Legal basis: Legitimate interest. The processing is necessary to fulfill our legitimate interest in conducting and executing business changes.


Service providers

To fulfill the purposes of the processing of Personal data, we share your Personal data with service providers that we have engaged. These suppliers provide services within e.g. IT services (companies that manage necessary operations, technical support and maintenance of our services provided to you and our IT systems). The service providers we have engaged are only allowed to process your Personal data in accordance with our explicit instructions and may not use your data for their own purposes. They are also required by law and agreement to take the appropriate technical and organizational security measures in order to protect your information.

Health data is only shared in either deidentified or pseudonymized form.


Appropriate safeguards for the transfer of Personal data to third countries

If Nudge Labs transfers or discloses your Personal data to a recipient in a country outside the EU/EEA area (third country), NudgeLabs will ensure that appropriate safeguards have been taken (such as the EU Commission's standard contract clauses and other necessary measures) in order to protect Personal data.

Pursuant to applicable data protection legislation, you have the right, upon request, to receive a copy of the documentation demonstrating that the necessary protective measures have been taken in order to protect your Personal data when transferring it to a third country.

If you would like to know more about the processing of your Personal data and if your Personal data is transferred to a third country, please contact us by using the contact information below.


SECURITY

We will ensure that access to your information is adequately protected by having appropriate security measures implemented and, depending on the circumstances, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks. To uphold this warranty, we have also implemented appropriate technical, physical and organizational measures to protect your Personal data from unlawful or accidental destruction, alteration or disclosure, misuse, damage, theft or loss by accident or unauthorized access.


YOUR RIGHTS

Rights in relation to your Personal data

In connection with our processing of your Personal data, you may, under certain conditions, exercise the following rights:


Access

You can request confirmation of whether or not your Personal data is being processed and, if it is being processed, request access to your Personal data and additional information such as the purpose of the processing. You also have the right to receive a copy of the Personal data that is processed. If the request is submitted electronically, the information will also be obtained in a commonly used electronic form unless you request otherwise.


Rectification

If you notice that Personal data about you is inaccurate or incomplete, you have the right to have your Personal data rectified.


Object to specific processing

You can object to processing of your Personal data if it is based on a legitimate interest, on grounds relating to your particular situation or if the processing takes place for direct marketing purposes. If we are unable to demonstrate compelling legitimate grounds to continue processing that override your interests, or if the processing is not necessary to establish, exercise and defend legal claims, we are obliged to cease the processing.


Erasure

You can have your Personal data erased under certain circumstances, e.g. when the Personal data is no longer needed to fulfill the purpose for which the Personal data was collected.


Restrict processing

Under certain circumstances, you can request that we restrict the processing of your Personal data to only involve the storage of your Personal data, e.g. when the processing is unlawful but you do not want your Personal data deleted.


Withdraw consent

To the extent that the processing of Personal data is based on your consent, you always have the right to withdraw your consent.


Data portability

You have the right to request a machine-readable copy of the Personal data processed based on your consent or when the processing is necessary to fulfill an agreement with you as well as when Personal data has been obtained from you (data portability), and to request that the information be transferred to another data controller (if possible).


Complaints to the supervisory authority

You are welcome to contact us with questions or complaints regarding the processing of your Personal data. However, you also always have the right to lodge a complaint regarding the processing of your Personal data to the Swedish Authority for Privacy Protection.


CONTACT US

If you have any questions regarding the processing of your Personal data or if you wish to exercise any of your rights pursuant to applicable data protection legislation, please contact NudgeLabs by using the contact details below. If needed, we have the right to change and supplement the privacy notice.


The Data Controller is: 

Nudge Labs AB

Döbelnsgatan 31

113 58 Stockholm Sweden

Email address:

dpo@nudgelabs.com 


CATEGORIES OF PERSONAL DATA

Below you will find an explanation of the categories of Personal data that we may collect and store about you and examples about what they may contain.


  • User-generated data
    • Website
      Click and visit history, technical data regarding used devices and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform), information about how you interacted with us, login method, which pages and how long different pages have been visited, response times, download errors, how to access and leave the service, etc.
    • Application
      Click and visit history, technical data regarding used devices and their settings (e.g. language setting, IP address, browser settings, time zone, operating system, screen resolution and platform), login method, which views and how long different views have been visited, response times, etc.
  • Demographic data
    • Gender, age
  • Your communication
    • Personal data that you provide in your communication with us
  • Geographical information
    • Location data from your device that e.g. may be collected via cookies
  • Health information
    • Information regarding inter alia your sleep, rest, activity and stress
  • Identity information
    • Name, the name of your employer
  • Contact information
    • Email address and phone number
  • Results regarding your work environment
    • Information based on your health information regarding your work environment on an anonymized and aggregated level
  • Information about feedback
    • Opinions and comments regarding our services and products, e.g. from surveys and studies
  • Account information
    • Username/email address, password

Privacy Policy Version: 1.2.0